Hey All,
Been slaving away on some fancy scripts to allow the use of IPv6 on RouterOS hotspots.
Please note this is an alpha release. I've confirmed it works (90% of the time) with Windows 7, but have built some checks in to help it along.
I welcome any feedback/suggestions on the scripting/improvements or if you have any questions feel free to post them here.
Here's a dump of my default config for this
Note you'll need to:
1. change interface names from 'hotspot' to match your own
2. change your own hotspot user profile to include the "on login" and "on logout" scripts.
This is running on v4.10; however, I DO NOT recommend using this in any production environment.
# Router-advertisement (neighbor discovery) settings for the interface named "hotspot";
# rename the interface to match the local setup.
# RAs are sent every 3m20s-10m with a 30m lifetime and advertise DNS and the router's MAC address.
# NOTE(review): managed-address-configuration=yes sets the RA "managed" flag, which asks clients to
# obtain addresses via DHCPv6. No DHCPv6 server is configured in this listing -- confirm this is intended.
/ipv6 nd
add advertise-dns=yes advertise-mac-address=yes disabled=no hop-limit=unspecified interface=hotspot managed-address-configuration=yes mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=1m retransmit-interval=10s
# Runs the ipv6-auth-check script every 30 seconds, independently of hotspot login/logout events.
# NOTE(review): the interval bounds how long a "hotspot-auth" entry can outlive its hotspot session
# when no logout hook fires (e.g. a session that simply times out) -- presumably up to 30s; verify.
# NOTE(review): this job carries policy=read,write while the script it runs is declared with
# read,write,winbox. Confirm the scheduler has enough policy to run it on the target version, and
# prefer the smallest policy set that works for both.
/system scheduler
add comment="Check for any new addresses" disabled=no interval=30s name=run-ipv6-auth-check on-event="/system script run ipv6-auth-check" policy=read,write start-date=jan/01/1970 start-time=00:00:00
# ipv6-auth-check: keeps the IPv6 firewall address-list "hotspot-auth" in step with the
# active (IPv4) hotspot sessions, using the client MAC address as the join key.
#
# Pass 1 (cleanup): for every "hotspot-auth" entry, read the MAC stored in its comment and
#   remove the entry when no active hotspot session has that MAC.
# Pass 2 (grant): for every active hotspot session, look up IPv6 neighbor entries with the
#   session's MAC and add each address not already listed (looked up as <address>/128),
#   storing the MAC in the entry's comment.
#
# Security notes for anyone deploying this:
# - Authorisation is by MAC address only. MAC addresses are not authenticated on a shared
#   segment, so this is convenience access control rather than strong per-user authentication.
# - NOTE(review): the neighbor lookup is not limited to the hotspot interface, and nothing here
#   skips link-local addresses; consider scoping the lookup -- confirm against the neighbor table.
# - NOTE(review): pass 1 only removes entries once the session is gone. An address that has
#   left the neighbor table (e.g. a rotated temporary address) appears to stay listed while the
#   session is active -- verify, and age such entries out if so.
# - NOTE(review): the script policy includes "winbox", which nothing in the script appears to
#   need; confirm and reduce to the minimum required.
# - NOTE(review): the inner test in pass 2 is written "if" without the leading colon used by
#   the ":if" in pass 1 -- confirm it parses on the target RouterOS version.
/system script
add name=ipv6-auth-check policy=read,write,winbox source="#IPv6 authentication script for RouterOS\r\
\n#Tested on v4.10\r\
\n\r\
\n:local line\r\
\n:local maccheck\r\
\n:local mac\r\
\n:local ipv6\r\
\n:local mapping\r\
\n\r\
\n#Loop through each ipv6 address line in the hotspot-auth list\r\
\n# Get the pre-stored mac address variable from the comment\r\
\n# If an active hotspot listing doesn't exist for this mac address:\r\
\n# Remove the address-list line\r\
\n# End of if segement\r\
\n#End of foreach segment\r\
\n\r\
\n:foreach line in=[/ipv6 firewall address-list find list=\"hotspot-auth\"] do={\r\
\n :set maccheck [/ipv6 firewall address-list get \$line comment]\r\
\n :if ([/ip hotspot active find mac-address=\$maccheck] =\"\") do={\r\
\n /ipv6 firewall address-list remove \$line\r\
\n }\r\
\n}\r\
\n\r\
\n#Loop through active hotspot user lines\r\
\n# Set mac varible to match currently selected lines mac-address value\r\
\n# For each listing in neighbour discovery table with the same mac address\r\
\n# Set ipv6 variable to match currently selected lines address value\r\
\n# If no listing exists in the \"hotspot-auth\" list with the same ip address:\r\
\n# Create a new \"hotspot-auth\" address list entry with the ipv6 address variable and comment set to the mac address\r\
\n# End of if segment\r\
\n# End of foreach segment\r\
\n#End of foreach segment\r\
\n\r\
\n:foreach line in=[/ip hotspot active find] do={\r\
\n :set mac [/ip hotspot active get \$line mac-address]\r\
\n :foreach mapping in=[/ipv6 neighbor find mac-address=\$mac] do={\r\
\n :set ipv6 [/ipv6 neighbor get \$mapping address]\r\
\n if ([/ipv6 firewall address-list find list=\"hotspot-auth\" address=\"\$ipv6/128\"]= \"\") do={\r\
\n /ipv6 firewall address-list add address=\$ipv6 list=hotspot-auth comment=\"\$mac\"\r\
\n }\r\
\n }\r\
\n}"
# Forward-chain policy for IPv6 traffic arriving on the "hotspot" interface. Rules are matched
# in order: hotspot-to-hotspot is accepted, then sources on the "hotspot-auth" list are accepted,
# then everything else from the hotspot interface is rejected.
# NOTE(review): every rule here matches in-interface=hotspot on the forward chain. This listing
# shows no rule for forwarded traffic arriving from other interfaces towards hotspot clients, and
# no input-chain rule protecting the router itself over IPv6. If none exist elsewhere, add
# stateful rules (accept established/related, drop unsolicited inbound) and restrict input
# from the hotspot interface to what clients need.
/ipv6 firewall filter
# NOTE(review): this accept comes before the "hotspot-auth" check, so clients that have not
# logged in can still reach other hotspot clients through the router -- confirm this is wanted.
add action=accept chain=forward comment="Accept local to local connections on link-local or public address range" disabled=no in-interface=hotspot out-interface=hotspot
# Authenticated clients: source address must be on the list maintained by ipv6-auth-check.
add action=accept chain=forward comment="Allow outbound traffic from any IPv6 address on the \"hotspot-auth\" list" disabled=no in-interface=hotspot src-address-list=hotspot-auth
# Default for the hotspot interface: anything not accepted above is rejected.
add action=reject chain=forward comment="Reject traffic not in \"hotspot-auth\" list" disabled=no in-interface=hotspot
# Hooks the hotspot user profile to the sync script: ipv6-auth-check runs on every login and
# logout, in addition to the periodic scheduler run.
# This modifies the profile named "default"; apply the on-login/on-logout values to whichever
# profile your hotspot users actually use.
# shared-users=1 allows one concurrent session per user.
# NOTE(review): a session that ends by keepalive timeout (2m here) presumably also triggers
# on-logout -- verify; otherwise the IPv6 entry is only removed by the next scheduled run.
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default on-login="/system script run ipv6-auth-check" on-logout="/system script run ipv6-auth-check" shared-users=1 status-autorefresh=1m transparent-proxy=no